key_manager: Add service user options for Barbican key manager
This change introduces some parameters to set up the service user token feature for Barbican key manager, which was implemented during the Xena cycle[1]. [1] 162039467ad0dfc5e25a16b75d9072d607690702 Depends-on: https://review.opendev.org/810451 Change-Id: I217e20e3d10fecffd3fb8654f047a7e285331723
This commit is contained in:
parent
cf3f239de0
commit
3453611d08
|
@ -33,14 +33,19 @@
|
|||
# (Optional) Specifies the region of the chosen endpoint.
|
||||
# Defaults to $::os_service_default
|
||||
#
|
||||
# [*send_service_user_token*]
|
||||
# (Optional) The service uses service token feature when this is set as true.
|
||||
# Defaults to $::os_service_default
|
||||
#
|
||||
class nova::key_manager::barbican (
|
||||
$barbican_endpoint = $::os_service_default,
|
||||
$barbican_api_version = $::os_service_default,
|
||||
$auth_endpoint = $::os_service_default,
|
||||
$retry_delay = $::os_service_default,
|
||||
$number_of_retries = $::os_service_default,
|
||||
$barbican_endpoint_type = $::os_service_default,
|
||||
$barbican_region_name = $::os_service_default,
|
||||
$barbican_endpoint = $::os_service_default,
|
||||
$barbican_api_version = $::os_service_default,
|
||||
$auth_endpoint = $::os_service_default,
|
||||
$retry_delay = $::os_service_default,
|
||||
$number_of_retries = $::os_service_default,
|
||||
$barbican_endpoint_type = $::os_service_default,
|
||||
$barbican_region_name = $::os_service_default,
|
||||
$send_service_user_token = $::os_service_default,
|
||||
) {
|
||||
|
||||
include nova::deps
|
||||
|
@ -56,12 +61,13 @@ class nova::key_manager::barbican (
|
|||
})
|
||||
|
||||
oslo::key_manager::barbican { 'nova_config':
|
||||
barbican_endpoint => $barbican_endpoint_real,
|
||||
barbican_api_version => $barbican_api_version_real,
|
||||
auth_endpoint => $auth_endpoint_real,
|
||||
retry_delay => $retry_delay,
|
||||
number_of_retries => $number_of_retries,
|
||||
barbican_endpoint_type => $barbican_endpoint_type,
|
||||
barbican_region_name => $barbican_region_name,
|
||||
barbican_endpoint => $barbican_endpoint_real,
|
||||
barbican_api_version => $barbican_api_version_real,
|
||||
auth_endpoint => $auth_endpoint_real,
|
||||
retry_delay => $retry_delay,
|
||||
number_of_retries => $number_of_retries,
|
||||
barbican_endpoint_type => $barbican_endpoint_type,
|
||||
barbican_region_name => $barbican_region_name,
|
||||
send_service_user_token => $send_service_user_token,
|
||||
}
|
||||
}
|
||||
|
|
|
@ -0,0 +1,94 @@
|
|||
# == Class: nova::key_manager::barbican::service_user
|
||||
#
|
||||
# Setup and configure the service token feature for Barbican Key Manager
|
||||
#
|
||||
# === Parameters
|
||||
#
|
||||
# [*password*]
|
||||
# (Required) Password to create for the service user
|
||||
#
|
||||
# [*username*]
|
||||
# (Optional) The name of the service user
|
||||
# Defaults to 'nova'
|
||||
#
|
||||
# [*auth_url*]
|
||||
# (Optional) The URL to use for authentication.
|
||||
# Defaults to 'http://localhost:5000'
|
||||
#
|
||||
# [*project_name*]
|
||||
# (Optional) Service project name
|
||||
# Defaults to 'services'
|
||||
#
|
||||
# [*user_domain_name*]
|
||||
# (Optional) Name of domain for $username
|
||||
# Defaults to 'Default'
|
||||
#
|
||||
# [*project_domain_name*]
|
||||
# (Optional) Name of domain for $project_name
|
||||
# Defaults to 'Default'
|
||||
#
|
||||
# [*insecure*]
|
||||
# (Optional) If true, explicitly allow TLS without checking server cert
|
||||
# against any certificate authorities. WARNING: not recommended. Use with
|
||||
# caution.
|
||||
# Defaults to $::os_service_default
|
||||
#
|
||||
# [*auth_type*]
|
||||
# (Optional) Authentication type to load
|
||||
# Defaults to 'password'
|
||||
#
|
||||
# [*auth_version*]
|
||||
# (Optional) API version of the admin Identity API endpoint.
|
||||
# Defaults to $::os_service_default.
|
||||
#
|
||||
# [*cafile*]
|
||||
# (Optional) A PEM encoded Certificate Authority to use when verifying HTTPs
|
||||
# connections.
|
||||
# Defaults to $::os_service_default.
|
||||
#
|
||||
# [*certfile*]
|
||||
# (Optional) Required if identity server requires client certificate
|
||||
# Defaults to $::os_service_default.
|
||||
#
|
||||
# [*keyfile*]
|
||||
# (Optional) Required if identity server requires client certificate
|
||||
# Defaults to $::os_service_default.
|
||||
#
|
||||
# [*region_name*]
|
||||
# (Optional) The region in which the identity server can be found.
|
||||
# Defaults to $::os_service_default.
|
||||
#
|
||||
class nova::key_manager::barbican::service_user(
|
||||
$password,
|
||||
$username = 'nova',
|
||||
$auth_url = 'http://localhost:5000',
|
||||
$project_name = 'services',
|
||||
$user_domain_name = 'Default',
|
||||
$project_domain_name = 'Default',
|
||||
$insecure = $::os_service_default,
|
||||
$auth_type = 'password',
|
||||
$auth_version = $::os_service_default,
|
||||
$cafile = $::os_service_default,
|
||||
$certfile = $::os_service_default,
|
||||
$keyfile = $::os_service_default,
|
||||
$region_name = $::os_service_default,
|
||||
) {
|
||||
|
||||
include nova::deps
|
||||
|
||||
oslo::key_manager::barbican::service_user { 'nova_config':
|
||||
username => $username,
|
||||
password => $password,
|
||||
auth_url => $auth_url,
|
||||
project_name => $project_name,
|
||||
user_domain_name => $user_domain_name,
|
||||
project_domain_name => $project_domain_name,
|
||||
insecure => $insecure,
|
||||
auth_type => $auth_type,
|
||||
auth_version => $auth_version,
|
||||
cafile => $cafile,
|
||||
certfile => $certfile,
|
||||
keyfile => $keyfile,
|
||||
region_name => $region_name,
|
||||
}
|
||||
}
|
|
@ -0,0 +1,8 @@
|
|||
---
|
||||
features:
|
||||
- |
|
||||
The following parameter and class have been added, to support usage of
|
||||
the service token feature with the Barbican key manager.
|
||||
|
||||
- The ``nova::key_manager::barbican::send_service_user_token`` parameter
|
||||
- The ``nova::key_manager::barbican::service_user`` class
|
|
@ -0,0 +1,79 @@
|
|||
require 'spec_helper'
|
||||
|
||||
describe 'nova::key_manager::barbican::service_user' do
|
||||
shared_examples 'nova::key_manager::barbican::service_user' do
|
||||
|
||||
let :params do
|
||||
{ :password => 'secret' }
|
||||
end
|
||||
|
||||
context 'with default parameters' do
|
||||
it {
|
||||
is_expected.to contain_oslo__key_manager__barbican__service_user('nova_config').with(
|
||||
:username => 'nova',
|
||||
:password => 'secret',
|
||||
:auth_url => 'http://localhost:5000',
|
||||
:project_name => 'services',
|
||||
:user_domain_name => 'Default',
|
||||
:project_domain_name => 'Default',
|
||||
:insecure => '<SERVICE DEFAULT>',
|
||||
:auth_type => 'password',
|
||||
:auth_version => '<SERVICE DEFAULT>',
|
||||
:cafile => '<SERVICE DEFAULT>',
|
||||
:certfile => '<SERVICE DEFAULT>',
|
||||
:keyfile => '<SERVICE DEFAULT>',
|
||||
:region_name => '<SERVICE DEFAULT>',
|
||||
)
|
||||
}
|
||||
end
|
||||
|
||||
context 'with specified parameters' do
|
||||
before :each do
|
||||
params.merge!({
|
||||
:username => 'alt_nova',
|
||||
:auth_url => 'http://127.0.0.1:5000',
|
||||
:project_name => 'alt_services',
|
||||
:user_domain_name => 'Domain1',
|
||||
:project_domain_name => 'Domain2',
|
||||
:insecure => false,
|
||||
:auth_type => 'v3password',
|
||||
:auth_version => 'v3',
|
||||
:cafile => '/opt/stack/data/cafile.pem',
|
||||
:certfile => 'certfile.crt',
|
||||
:keyfile => 'keyfile',
|
||||
:region_name => 'regionOne',
|
||||
})
|
||||
end
|
||||
|
||||
it {
|
||||
is_expected.to contain_oslo__key_manager__barbican__service_user('nova_config').with(
|
||||
:username => 'alt_nova',
|
||||
:password => 'secret',
|
||||
:auth_url => 'http://127.0.0.1:5000',
|
||||
:project_name => 'alt_services',
|
||||
:user_domain_name => 'Domain1',
|
||||
:project_domain_name => 'Domain2',
|
||||
:insecure => false,
|
||||
:auth_type => 'v3password',
|
||||
:auth_version => 'v3',
|
||||
:cafile => '/opt/stack/data/cafile.pem',
|
||||
:certfile => 'certfile.crt',
|
||||
:keyfile => 'keyfile',
|
||||
:region_name => 'regionOne',
|
||||
)
|
||||
}
|
||||
end
|
||||
end
|
||||
|
||||
on_supported_os({
|
||||
:supported_os => OSDefaults.get_supported_os
|
||||
}).each do |os,facts|
|
||||
context "on #{os}" do
|
||||
let (:facts) do
|
||||
facts.merge(OSDefaults.get_facts())
|
||||
end
|
||||
|
||||
it_behaves_like 'nova::key_manager::barbican::service_user'
|
||||
end
|
||||
end
|
||||
end
|
|
@ -5,13 +5,14 @@ describe 'nova::key_manager::barbican' do
|
|||
context 'with default parameters' do
|
||||
it {
|
||||
is_expected.to contain_oslo__key_manager__barbican('nova_config').with(
|
||||
:barbican_endpoint => '<SERVICE DEFAULT>',
|
||||
:barbican_api_version => '<SERVICE DEFAULT>',
|
||||
:auth_endpoint => '<SERVICE DEFAULT>',
|
||||
:retry_delay => '<SERVICE DEFAULT>',
|
||||
:number_of_retries => '<SERVICE DEFAULT>',
|
||||
:barbican_endpoint_type => '<SERVICE DEFAULT>',
|
||||
:barbican_region_name => '<SERVICE DEFAULT>',
|
||||
:barbican_endpoint => '<SERVICE DEFAULT>',
|
||||
:barbican_api_version => '<SERVICE DEFAULT>',
|
||||
:auth_endpoint => '<SERVICE DEFAULT>',
|
||||
:retry_delay => '<SERVICE DEFAULT>',
|
||||
:number_of_retries => '<SERVICE DEFAULT>',
|
||||
:barbican_endpoint_type => '<SERVICE DEFAULT>',
|
||||
:barbican_region_name => '<SERVICE DEFAULT>',
|
||||
:send_service_user_token => '<SERVICE DEFAULT>',
|
||||
)
|
||||
|
||||
is_expected.to contain_package('cryptsetup').with(
|
||||
|
@ -24,25 +25,27 @@ describe 'nova::key_manager::barbican' do
|
|||
context 'with specified parameters' do
|
||||
let :params do
|
||||
{
|
||||
:barbican_endpoint => 'http://localhost:9311/',
|
||||
:barbican_api_version => 'v1',
|
||||
:auth_endpoint => 'http://localhost:5000',
|
||||
:retry_delay => 1,
|
||||
:number_of_retries => 60,
|
||||
:barbican_endpoint_type => 'public',
|
||||
:barbican_region_name => 'regionOne',
|
||||
:barbican_endpoint => 'http://localhost:9311/',
|
||||
:barbican_api_version => 'v1',
|
||||
:auth_endpoint => 'http://localhost:5000',
|
||||
:retry_delay => 1,
|
||||
:number_of_retries => 60,
|
||||
:barbican_endpoint_type => 'public',
|
||||
:barbican_region_name => 'regionOne',
|
||||
:send_service_user_token => true,
|
||||
}
|
||||
end
|
||||
|
||||
it {
|
||||
is_expected.to contain_oslo__key_manager__barbican('nova_config').with(
|
||||
:barbican_endpoint => 'http://localhost:9311/',
|
||||
:barbican_api_version => 'v1',
|
||||
:auth_endpoint => 'http://localhost:5000',
|
||||
:retry_delay => 1,
|
||||
:number_of_retries => 60,
|
||||
:barbican_endpoint_type => 'public',
|
||||
:barbican_region_name => 'regionOne',
|
||||
:barbican_endpoint => 'http://localhost:9311/',
|
||||
:barbican_api_version => 'v1',
|
||||
:auth_endpoint => 'http://localhost:5000',
|
||||
:retry_delay => 1,
|
||||
:number_of_retries => 60,
|
||||
:barbican_endpoint_type => 'public',
|
||||
:barbican_region_name => 'regionOne',
|
||||
:send_service_user_token => true,
|
||||
)
|
||||
|
||||
is_expected.to contain_package('cryptsetup').with(
|
||||
|
|
Loading…
Reference in New Issue